Detail: Could not connect to 192.168.2.33


#1

Please fill out the fields below so we can help you better.

My domain is: nas.mg-bgrahic…

I ran this command: sudo ./certbot-auto certonly

It produced this output:

Domain: nas.mg-bgraphic…
Type: connection
Detail: Could not connect to …external ip…

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

My operating system is (include version):
Raspbian

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

At this moment you can only visit the website over HTTPS.


#2

What is your domain name ?

I’m guessing that the DNS isn’t correct, but without your domain name I can’t check.


#3

nas.mg-bgraphic…

I got the file now :slight_smile: the only problem now is when I put the following line:
ssl_certificate /etc/letsencrypt/live/nas.mg-bgraphic…/fullchain.pem;
instead of the lines that were there:
ssl_certificate /etc/nginx/cert.pem;
ssl_certificate_key /etc/nginx/cert.key;
in

/etc/nginx/sites-available/default

NGINX won’t start…
Am I missing the key file?


#4

Your thread title:

In your message:

What is it? 192.168.2.33? Or your external IP? :frowning:


#5

Nope, it was the internal IP, but I fixed that part … now I have a new problem :disappointed_relieved:


#6

That is mandatory for TLS, yes… But I’m sure your nginx log file has told you that already?

It’s located at /etc/letsencrypt/live/nas.mg-bgraphicspecials.nl/privkey.pem


#7

Don’t I need a .key file?


#8

Extensions aren’t relevant. .pem says something about the way the key (or cert) is encoded. But it’s the contents that matter.


#9

You are the best :slight_smile:


#10

It’s kinda Windows-ish to think extensions are important… :smile: Unix/Linux/BSD et cetera doesn’t really care what it’s called. :slight_smile:


#11

Good to know!
The only thing I have to do now is create a cronjob so the cert will stay valid :slight_smile:


#12

https://crt.sh/?q=nas.mg-bgraphi%

Just in case you thought that hiding a domain name partially made any sense.


#13

Plus, Discourse has an edit log :stuck_out_tongue:


#14

The error message says:

Detail: Could not connect to …external ip…

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

192.168.2.33 is a private IP address for your local LAN, that isn’t routable via the public internet. So, if you are trying to create a certificate for that IP, certbot won’t make one.

Depending on your requirements, you have two options:

  1. Set up NAT on your router to forward port 80 and port 443 traffic from your modem’s public IP to your LAN device’s private IP. Then change your DNS A name entry to the public IP address. Then try recreating the certificate.

  2. If you do actually need to create a valid certificate for a private IP address, this tutorial explains how: http://blog.thesparktree.com/post/138999997429/generating-intranet-and-private-network-ssl
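
The check described in the reply above, as an added example that is not part of the thread or of certbot: a pre-flight test that flags A records an external CA cannot reach. The function names are hypothetical, and the records `192.168.2.33` and `8.8.8.8` are constructed sample input (the latter a stand-in for a public address).

```python
import ipaddress
import socket
import sys

# 100.64.0.0/10 is carrier-grade NAT space: not RFC 1918, but still not reachable from outside.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def resolve_a_records(hostname):
    """Return the IPv4 addresses the local resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def classify(address):
    """Return (reachable_from_internet, reason) for one A-record value."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False, "not a valid IP address"
    if ip.is_loopback:
        return False, "loopback address"
    if ip.is_link_local:
        return False, "link-local address"
    if ip in CGNAT:
        return False, "carrier-grade NAT address"
    if ip.is_private:
        return False, "private address, not routable on the public internet"
    if not ip.is_global:
        return False, "reserved address, not globally routable"
    return True, "publicly routable"


def preflight(records):
    """Return [(address, reason)] for every record an external CA could not reach."""
    if not records:
        return [("", "no A record found")]
    checked = [(r,) + classify(r) for r in records]
    return [(addr, reason) for addr, ok, reason in checked if not ok]


if __name__ == "__main__":
    # With a hostname argument, check live DNS; otherwise use constructed sample records.
    records = resolve_a_records(sys.argv[1]) if len(sys.argv) > 1 else ["192.168.2.33", "8.8.8.8"]
    for addr, reason in preflight(records) or [("all records", "publicly routable")]:
        print(f"{addr}: {reason}")
```

Run with a hostname as the argument, the result reflects the local resolver, which on a LAN with split DNS can differ from what the CA sees.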

